Report: Personal Internet use at work out of control

Who cares about corporate IT policies? Not employees, who will take "whatever …

As Congress once again considers a response to the latest outbreak of "inadvertent" peer-to-peer file sharing, the P2P software industry will doubtless point to its efforts to bring the problem under control. But the latest survey on the state of enterprise computing security, just released by a Silicon Valley area firewall company, isn't likely to contribute to a general sense of well-being around this issue.

"The allure of high-speed connectivity, the desire to use whatever application they want and the melding of personal and work life means that there is a strong likelihood that many of the applications leveraging increased speeds" in enterprise land "are not business-related," the report suggests.

That's the mildest comment you'll get from this document. Welcome to the dark, high-tech landscape painted by Palo Alto Networks. In this world, "employees" and "users" often resemble the Taliban in south central Asia—aggressive, mobile, undetectable, and impervious to barriers or retaliation. That's pretty much the sense you get reading the company's Application Usage and Risk Report for the Spring of 2009.

Employees "will take whatever steps are necessary to use whichever applications they want," Palo Alto warns. "Some of these applications make employees more productive, while others have absolutely no business value." And, in the wrong hands, some apps are tools for revenge and subversion.

"Angry at being laid off?" the Risk Report continues. "Or moving to a competitor? Launch YouSendIt! and transfer the customer database or the next-generation product plans to an online archive like BoxNet with ease."

Port Hoppers

The Palo Alto survey says it tracked the behavior of 900,000 enterprise users covering 60 big organizations across key business sectors between August 2008 and December 2008. The basic thrust of the report is that IT application management is failing across the board. "Applications have standard features to evade controls automatically," the document concludes, "employees use applications to evade control mechanisms purposefully, and most current control mechanisms are ill-equipped to regain visibility and control."

The various flavors of P2P are the chief culprit in this narrative. The audit runs through all the big horror stories—most famously the blueprints for President Obama's helicopter made public by a suspected terrorist on the Gnutella P2P network. Palo Alto found P2P applications in 90 percent of the organizations it surveyed—six on average and up to 17 in some instances, most notably BitTorrent and Gnutella.

These apps often escape IT detection via "port hopping" or "masquerading" as the http protocol, the survey warns. And they're constantly adapting to security measures. "As security administrators developed ad hoc techniques to detect these applications," the company notes, "some P2P developers modified the application to use proprietary encryption as a means of bypassing the firewall and signature-based detection mechanisms." The report cites µTorrent as an application whose developers Palo Alto says have resorted to this sort of evasive programming.

Ditto for a wide range of remote computing applications, such as proxy software that allows an employee to connect to their home computer to browse the Web, or public proxies set up by "well meaning Internet citizens" to let users browse the Web anonymously. Palo Alto found some variety of proxy in 81 percent of the organizations that it surveyed.

Then there are applications like Tor, which, in its advocates' own words, "prevents somebody watching your Internet connection from learning what sites you visit, and it prevents the sites you visit from learning your physical location." Similar applications include Hamachi, GBridge, UltraSurf, and older Unix-based protocols like SSH, which Palo Alto says "sophisticated users" sometimes employ to access their home machines for "non-work related activities."

And don't get the company started on remote access software like Microsoft's SharePoint and Yoics! Almost a third of all SharePoint sites may be "rogue," one study mentioned in the report suggests—basically installations unauthorized by IT management. As for Yoics!, it has "questionable value," Palo Alto warns. "It may be used as a support tool by IT, but in all likelihood, it is an intrepid user accessing their home machine."

Hogs R Us

Finally, there is the problem of "uncontrollable bandwidth hogs." The ability of all those naughty employees to anonymously access the service of their choice on their enterprise system has encouraged a voracious appetite for social networking, P2P file sharing, and Web-based media. Palo Alto's analysis determined that a little over half of the 48.5TB of data it surveyed were gobbled up by consumer-oriented sites like YouTube and applications like Adobe's Flash—"an active consumer of bandwidth, and a known threat vector," as the company calls it.

By now you've figured out that this survey functions as a promotional document for Palo Alto Networks. Chris King, the firm's marketing director, was candid about this in his conversation with us. The outfit sells a "next generation" firewall service that "turns on and off these applications rather than turning on and off ports," King explained, since so many apps today are designed to get around ports.
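An added illustration (not taken from the report or from Palo Alto Networks' product) of why port rules lose sight of port-hopping and HTTP-masquerading applications: it classifies constructed sample flows once by destination port and once by the first payload bytes, then reports the disagreements. The flow records, addresses and function names are assumptions made for this example.

```python
# Added example: port-based vs. payload-based flow classification.
# Every flow below is constructed sample data, not captured traffic.

PORT_MAP = {22: "ssh", 80: "http", 443: "tls"}  # what a port-only rule assumes

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ")


def classify_by_port(dst_port):
    return PORT_MAP.get(dst_port, "unknown")


def classify_by_payload(first_bytes):
    """Identify the application from the first bytes the client sends."""
    if first_bytes.startswith(b"\x13BitTorrent protocol"):
        return "bittorrent"   # peer handshake: length byte 19 + protocol string
    if first_bytes.startswith(b"SSH-"):
        return "ssh"          # SSH identification string (RFC 4253)
    if len(first_bytes) >= 3 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03:
        return "tls"          # TLS handshake record header
    if first_bytes.startswith(HTTP_METHODS):
        return "http"
    return "unknown"          # e.g. proprietary encryption: nothing to match


def audit(flows):
    """Return flows whose port-implied application disagrees with the payload."""
    findings = []
    for f in flows:
        by_port = classify_by_port(f["dst_port"])
        by_payload = classify_by_payload(f["payload"])
        if by_port != by_payload:
            findings.append((f["src"], f["dst_port"], by_port, by_payload))
    return findings


SAMPLE_FLOWS = [  # constructed
    {"src": "10.0.0.11", "dst_port": 80, "payload": b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"},
    {"src": "10.0.0.12", "dst_port": 80, "payload": b"\x13BitTorrent protocol" + bytes(48)},
    {"src": "10.0.0.13", "dst_port": 443, "payload": b"SSH-2.0-OpenSSH_8.9\r\n"},
    {"src": "10.0.0.14", "dst_port": 443, "payload": b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03"},
    {"src": "10.0.0.15", "dst_port": 80, "payload": bytes.fromhex("9f3c1ae4b07d52c6881e")},  # opaque bytes
]

if __name__ == "__main__":
    for src, port, by_port, by_payload in audit(SAMPLE_FLOWS):
        print(f"{src} -> :{port}  port says {by_port}, payload says {by_payload}")
```

The last sample flow shows the limit the report describes: once the payload is encrypted with a proprietary scheme, signature matching can only say "unknown", so the mismatch is visible but the application is not.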

But Palo Alto doesn't see the problem as fixable by technology alone. The aforementioned services and applications aren't exactly on the "approved list" of most IT departments, but they often have some business use, the report acknowledges, "so summarily blocking them is not a viable option." Hardware and software can't automatically plug up the system. Somebody in upper management has to help IT figure out which apps really have value to the company, and which only pose risks.

"In order for IT organizations to transform from business impediments to business enablers, they need to deploy solutions that provide visibility and control over applications (not ports or protocols), users (not IP addresses) and content," the Risk Report concludes. In the end, it's that visibility that Palo Alto says it sells.

But the rational optimism that surfaces towards the end of this detailed 20-page document probably won't dispel the overall impression that it conveys—that of an enterprise server landscape in which the proxy sharks, social networkers, P2P file sharers, and YouTube mongers have pretty much taken over the asylum. And chances are that at least a few readers will keep it around as a short version of Bypassing IT Security Management for Dummies.

Matthew Lasar / Matt writes for Ars Technica about media/technology history, intellectual property, the FCC, or the Internet in general. He teaches United States history and politics at the University of California at Santa Cruz.